Cryptographic Services

This secction provides information about the cryptographic services that can be used with your VersaLex system. The VersaLex products support three different cryptosystems: S/MIME, XML, and OpenPGP. S/MIME is suported through AS2 and AS3. XML is supported through ebXML and mailbox-level packaging. OpenPGP is supported through mailbox-level packaging.

The following pages describe the supported cryptographic services, as well as encryption, content integrity, and signatures.

S/MIME

Internet MIME (Multipurpose Internet Mail Extensions) messages consist of two parts: headers (describing the content) and a body (consisting of the actual data content or payload). MIME was not designed to provide for the application of security services, therefore S/MIME (Secure/Multipurpose Internet Mail Extensions) was created as a format and protocol for applying authentication, message integrity, non-repudiation (through the use of public key cryptography) and confidentiality (using encryption) to the Internet MIME message.

S/MIME is supported by transport mechanisms in one of either two versions: S/MIME v2 or S/MIME v3. The most notable difference between the two is that S/MIME v3 supports a wider variety and more secure set of encryption algorithms. The Cleo products support S/MIME v3; however, it is important to know which algorithms are supported by your trading partners before deciding upon the specific algorithms for both signing and encryption.

XML

XML Encryption and XML Signature are published recommendations of the World Wide Web Consortium (W3C). These recommendations define the syntax and processing rules for encrypting and signing data. Generally, the encrypted symmetric key is contained within the EncryptedKey element and the encrypted data is contained within the EncryptedData element. See http://www.w3.org/TR/xmlenc-core for detailed information regarding XML encryption. For digital signing, the Signature element is the primary element for encapsulating the digital signature. See http://www.w3.org/TR/xmldsig-core for detailed information regarding XML signatures. 

OpenPGP

OpenPGP is a non-proprietary protocol for encrypting using public key cryptography. The OpenPGP protocol defines standard formats for encrypted messages, signatures, and certificates for exchanging public keys. See RFC 2440 for detailed information on the OpenPGP Message Format. 

In order to sign and/or encrypt a message, at least one public/private key pair is needed. The public key is provided to users who want secure communication. The sender's private key is used to digitally sign a message. When this message is received, the sender's public key is used to verify the digital signature in order to prove that the message originated with the sender. 

For encryption, the sender uses the recipient's public key to encrypt the message. When the message is received, the recipient uses the recipient's own private key to decrypt the message. As long as the private key is protected and is accessible only by the originator, the recipient of a digitally signed message is able to confirm the originator of the message and both parties will be assured that the message has not been compromised.

Encryption guarantees the confidentiality of a data transaction.  Content integrity guarantees that the receiving trading partner gets the data in its originally sent form, ensuring that no modifications have been made to the data when it is in transit between trading partners.

Content integrity is achieved if the sender provides a digital signature, which includes an integrity control value. This value can be computed by using an appropriate cryptographic algorithm to fingerprint the data content. These cryptographic algorithms are called one-way hash functions or message integrity checks. Unlike encryption algorithms, however, one-way hash functions cannot be reversed or decrypted. One-way hash functions are constructed such that the probability is infinitely small that some arbitrary piece of plain-text can be hashed to a particular value, or that any two pieces of plain-text can be hashed to the same value. One-way hash values are usually 112 to 512 bits long. The longer the hash value, the more secure it is. 

One-way hash functions do not require a key. Common hash algorithms are SHA-1 (Secure Hash Algorithm 1), which generates a hash value of 160 bits, and MD5 (Message Digest 5) which generates a hash value of 112 bits. To determine content integrity, the sending trading partner adds a digital signature to the data content, which includes a one-way hash value of the message. This value is unique and fingerprints the transaction. The sending trading partner sends the hash value along with the data. The receiving trading partner, using the same one-way hash function, calculates the hash value for the received data message content. If the received hash value matches the calculated hash value, then the receiving trading partner is assured that the data content has not been tampered with or altered in any way.

Within the VersaLex LCOPY command, it is possible to encrypt and decrypt zip archive files according to the AES encryption standard (128-bit, 192-bit, and 256-bit).  Refer to http://www.winzip.com/aes_info.htm for further information on the AES-encrypted ZIP files. To encrypt or decrypt, certain parameters must be specified on the LCOPY command. See the editor dialog for the LCOPY command.

The Use-Password parameter is optional. When this parameter is set to True, a password must be specified. The length of the password determines the strength of the AES encryption key. Passwords with a length less than 8 characters are invalid as they are too weak. Passwords with a length between 9 and 32 characters have a 128-bit key, which is the weakest. Passwords with a length from 33 to 48 characters have a 192-bit key, and passwords with a length from 49 to 64 characters have a 256-bit key, which is the strongest.

The security of your data depends not only on the strength of the encryption method but also on the strength of your password, including factors such as length and composition. There are also measures that you can take to ensure your password is not disclosed to unauthorized third parties. If you type in the LCOPY command directly from the freeform editor of the Action tab, any password data will be shown in clear-text. For highest security when typing your password use the editor dialog box (which will not echo the clear-text password); or enter the LCOPY command, double-click on the new command to display the editor dialog box, and then click OK. After you click OK, the password is encrypted and cannot be observed by unauthorized parties.